1. Introduction & Scope

This Privacy Policy explains how we collect, use, disclose, and protect personal data when you visit our website and purchase downloadable digital photo assets and other digital content (‘Digital Content’).

We operate one‑off purchases only (no subscriptions). By using our website, you acknowledge this Policy, our Terms & Conditions, and our Cookie Policy.

2. Key Roles & Definitions

‘WORLDWIDE DECISION LTD’, ‘we’, ‘us’ or ‘our’ refers to the controller named above.

‘Website’ means our site and online shop, account portal, and related pages.

‘Personal data’ has the meaning set out in UK GDPR Art. 4(1).

‘Processor’ means a service provider processing data on our behalf.

3. What Data We Collect

A) Data you provide: name, email, account credentials, billing address (if invoice requested), optional company name/VAT number (for business invoices), order details, support messages and attachments.
B) Payment data: payment method tokens, transaction IDs, authorization results, and anti‑fraud signals from our PCI‑DSS Level 1 payment service providers (we do not store full card numbers).
C) Usage & device data: IP address, device/browser type, OS, language, referral URLs, pages viewed, actions taken, timestamps, approximate location (derived from IP), and diagnostic logs.
D) Cookies & similar technologies: essential cookies for core functionality (cart, login, security), and (where you consent) analytics cookies and similar technologies. See Section 9 and our Cookie Policy for details.

4. Sources of Data

Directly from you when you create an account, place an order, or contact support.
From our payment processors (transaction metadata and anti‑fraud signals).
From analytics and tag management services (aggregated/ pseudonymous statistics where you have consented).

5. Purposes & Legal Bases

We process personal data for the following purposes under UK GDPR legal bases:

Provide the Website and deliver Digital Content — performance of a contract (Art. 6(1)(b)).
Account creation, authentication, and customer support — performance of a contract (Art. 6(1)(b)) and legitimate interests to operate our business (Art. 6(1)(f)).
Payment processing, fraud prevention, and security — performance of a contract (Art. 6(1)(b)), legal obligation (e.g., accounting), and legitimate interests in preventing abuse (Art. 6(1)(f)).
Compliance with law (e.g., tax, AML/KYC, sanctions screening where applicable) — legal obligation (Art. 6(1)(c)).
Analytics and performance measurement — consent (Art. 6(1)(a)) for non‑essential cookies; legitimate interests for essential security/operational logging (Art. 6(1)(f)).
Service communications about your account or order — performance of a contract (Art. 6(1)(b)).
Marketing (if you opt in) — consent (Art. 6(1)(a)); you can withdraw at any time.

6. Payment Processing & Anti‑Fraud

Card and wallet payments are processed by PCI‑DSS Level 1 certified payment service providers (PSPs) using 3‑D Secure where applicable. We receive only limited payment metadata (e.g., masked PAN, expiry month/year, transaction ID, AVS/CVV result, risk score). We do not store full card numbers on our servers.

We may conduct risk‑based checks (for example, cumulative spend above £5,000 within a 12‑month period or sanctions screening flags) and request identity or business verification documents. Failure to complete checks may result in order cancellation.

7. Disclosures to Processors & Recipients

We share personal data with trusted processors and recipients strictly for the purposes above, including:

Hosting and infrastructure providers;
Payment processors and anti‑fraud/chargeback services;
Customer support tools and email service providers;
Tag management and analytics platforms (e.g., Google Tag Manager and Google Analytics 4, where consented);
Professional advisers (legal/accounting) and authorities where required by law.

We require processors to implement appropriate security measures and to process data only under our instructions.

8. International Data Transfers

Where personal data is transferred outside the UK/EEA (e.g., to providers based in the US or other countries), we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses (SCCs), or adequacy decisions where applicable. You may request a copy of relevant safeguards (redacted) via the contact in Section 16.

9. Cookies, Analytics & Tracking

We use essential cookies for core features (e.g., cart, login, security). With your consent, we use Google Tag Manager to deploy Google Analytics 4 and similar tools to understand website performance and improve the user experience. You can manage your preferences at any time via the cookie banner and settings link on our Website. For details of specific cookies (e.g., WooCommerce SourceBuster sbjs_*; wordpress_* login cookies; internal analytics cookies), please see our Cookie Policy.

10. Data Retention

We retain: (a) account data for as long as your account is active and for up to 24 months of inactivity thereafter; (b) order and transaction records for at least 6 years to comply with tax and accounting obligations; (c) support correspondence for up to 24 months after resolution; (d) analytics data in accordance with our analytics provider’s retention settings and your consent choices.

We may retain data longer where necessary to establish, exercise, or defend legal claims, or to comply with legal obligations.

11. Security

We implement technical and organizational measures designed to protect personal data, including encryption in transit, access controls, least‑privilege access, secure development practices, and regular backups. No method of transmission or storage is 100% secure; you are responsible for safeguarding your account credentials.

12. Children’s Privacy

Our Website is intended for users aged 18 and over. We do not knowingly collect personal data from children. If you believe a child has provided personal data, please contact us and we will take appropriate steps to delete the data.

13. Automated Decision‑Making

We do not engage in automated decision‑making that produces legal effects or similarly significant effects on you within the meaning of UK GDPR Article 22.

14. Your Rights

Subject to conditions and exemptions in the law, you have the right to: access; rectification; erasure; restriction; data portability; and to object to processing based on legitimate interests. Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.

To exercise your rights, contact us at info@shotcrate.com. We may need to verify your identity. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) — see Section 15.

15. Complaints

If you have concerns about our use of your personal data, please contact us first. You can also complain to the UK Information Commissioner’s Office (ICO): https://ico.org.uk/ (telephone: +44 303 123 1113).

16. Contact Us

For privacy questions or requests, email info@shotcrate.com. Postal correspondence may be sent to: 20 Preston St, Liverpool, United Kingdom, L1 6DQ.

17. EU/EEA Representative (where required)

If we are required to appoint an EU representative under GDPR Article 27, we will identify the representative and their contact details here or in the online version of this Policy.

18. Changes to this Policy

We may update this Policy from time to time to reflect changes in law or our processing activities. The updated version will be posted on the Website with a new effective date.

WORLDWIDE DECISION LTD (company number 15983118)

Registered office: 20 Preston St, Liverpool, United Kingdom, L1 6DQ